Refer: https://github.com/rust-lang/cargo/commit/15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a https://build.opensuse.org/package/show/SUSE:SLE-15-SP3:Update/rust1.62 From 15f1e4b0bf4b4fc20369e0a85d9b77957c4dd52a Mon Sep 17 00:00:00 2001 From: Josh Triplett Date: Thu, 18 Aug 2022 17:17:19 +0200 Subject: [PATCH] CVE-2022-36113: avoid unpacking .cargo-ok from the crate --- src/tools/cargo/src/cargo/sources/registry/mod.rs | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/tools/cargo/src/cargo/sources/registry/mod.rs b/src/tools/cargo/src/cargo/sources/registry/mod.rs index 3142e71..5357e9c 100644 --- a/src/tools/cargo/src/cargo/sources/registry/mod.rs +++ b/src/tools/cargo/src/cargo/sources/registry/mod.rs @@ -607,6 +607,13 @@ impl<'cfg> RegistrySource<'cfg> { prefix ) } + // Prevent unpacking the lockfile from the crate itself. + if entry_path + .file_name() + .map_or(false, |p| p == PACKAGE_SOURCE_LOCK) + { + continue; + } // Unpacking failed let mut result = entry.unpack_in(parent).map_err(anyhow::Error::from); if cfg!(windows) && restricted_names::is_windows_reserved_path(&entry_path) { @@ -621,16 +628,15 @@ impl<'cfg> RegistrySource<'cfg> { result.chain_err(|| format!("failed to unpack entry at `{}`", entry_path.display()))?; } - // The lock file is created after unpacking so we overwrite a lock file - // which may have been extracted from the package. + // Now that we've finished unpacking, create and write to the lock file to indicate that + // unpacking was successful. let mut ok = OpenOptions::new() - .create(true) + .create_new(true) .read(true) .write(true) .open(&path) .chain_err(|| format!("failed to open `{}`", path.display()))?; - // Write to the lock file to indicate that unpacking was successful. write!(ok, "ok")?; Ok(unpack_dir.to_path_buf()) -- 2.27.0